The state of the war against Ukraine has been on everyone's mind for several weeks now, InQuest Labs has been tracking the activity on the cyber-front with a specific focus on the moves made by APTs following the invasion. While the rest of the world is seeing and feeling the effects of this escalation with rising fuel prices and supply line constraints, Ukrainian and Russian citizens alike are clinging to their livelihoods due to the contempt of the Russian leadership.

As many within the research community have ties to or may be personally affected by this crisis, we felt it was imperative to share this intelligence information as a result of continuous communal efforts because it could very well save lives as well as contribute to a resolution. Our endeavor with this blog is to document and expose campaigns and their associated TTPs and IOCs as well as provide periodic updates as the situation continues to develop and threat actors pivot from one tactic or technique to another.

Read the Ukraine Cyber War Overview to learn more!

InQuest Email Security Assessment

This month we harvested 2946 samples from the wild capable of bypassing either Microsoft or Google. Of those, Microsoft missed 2213 (75%), and Google missed 795 (27%). The distribution of misses by file type is depicted below:

InQuire for a free, personalized email security assessment!

Latest InQuest™ Blog Posts

Calculating Return-on-Investment (ROI)

Posted on 2022-04-07 by Josiah Smith

To help guide the conversation and thought process, InQuest has developed multiple ROI Calculators that illustrate benefits with regard to time saved, volume processed, and capacity for organizational directors, hiring managers, threat hunters, security operation center (SOC) analysts, and email administrators. We provide sliders across these calculators for tuning variables to match your environment and level of skepticism around vendor claims.

Nobelium - Israeli Embassy Maldoc

Posted on 2022-04-18 by Dmitry Melikov

A few days ago, we discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. The document was uploaded to the VirusTotal service from Spain. It contains an attractive visual lure representing a document from the Israeli embassy. We will look at the threat vector and provide some indicators of attack that can help defenders identify or respond.

InQuest™ Labs Research Spotlight

DripLoader

Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection.

memray

JC JSONifies the output of many CLI tools and file-types for easier parsing in scripts.

Bypass Paywalls

Bypass Paywalls is a web browser extension to help bypass paywalls for selected sites.

Global Security Events

2021 Top Routinely Exploited Vulnerabilities

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.

Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

The North Korean-linked Stonefly group is continuing to mount espionage attacks against highly specialized engineering companies with a likely goal of obtaining sensitive intellectual property.

The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot

That is why the Air Force apparently needs a cybersecurity mascot. A caped robot with a shield and lightning bolt adorned helmet, here to ask you if you’ve tried turning your computer off and on again and presumably solving the myriad of technical issues that come with the territory when you’re using decades-old software.

Useful Links

Support

Social

Twitter

GitHub

InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.

Unsubscribe here.